Content Management Sites (CMS) have become popular tools for businesses using the cloud. A CMS allows you to create e-commerce sites, blogs – pretty much anything you need to reach out to your customer base.
The problem is that hackers also like the sites because of their spotty security. WordPress, perhaps the best known CMS, has had well-documented problems for some time now. For instance, the cross-platform Tango chat application, which uses WordPress as a platform, was recently hacked by the Syrian Electronic Army (SEA).
But other content management sites are also at risk, as Brian Krebs pointed out in a blog post. A very simple hack, he wrote, could take down Joomla sites.
What these hacks seem to have in common is that the owners of the websites are using outdated versions of the CMS. As PC Magazine wrote about the Tango attack:
WordPress is a very popular platform for blog-style websites, and as such it's a prime target for attack. If your site relies on WordPress, you absolutely must keep the platform up to date, as many of the updates patch serious security vulnerabilities. Apparently Tango didn't; look what happened to them.
And Krebs wrote about the Joomla risk, stating that if you haven’t downloaded a critical update, your site is at risk:
The patch released on July 31, 2013 applies to Joomla 2.5.13 and earlier 2.5.x versions, as well as Joomla 3.1.4 and earlier 3.x versions. Joomla credits discovery of the bug to Web security firm Versafe, which says a simple exploit targeting the vulnerability is already in use. Joomla versions 2.5.14 and 3.1.5. fix a serious bug that allows unprivileged users to upload arbitrary .PHP files just by adding a “.” (period) to the end of PHP filenames.
In an article for TechWeek Europe, Barry Shteiman called CMS a hacker’s dream come true. The reason? Third-party code is loaded with vulnerabilities, and plug-ins and extensions are especially exploitable. And then, of course, you have the overall laziness of many users when it comes to applying patches and upgrades – a problem that we have seen causes problems in other applications.
Content management sites are popular because they are easy to use, no matter the level of skill. Unfortunately, too often when a technology is easy to use, security is an afterthought or no thought at all. Hackers understand that and take advantage. To keep your CMS-hosted website secure, keep an open dialogue with your host provider about security on its end and especially make sure that all updates are promptly installed.